DEV ONLY - NAND access + Full Unlock for Lumia 710 & 800

OP biktor_gj

22nd April 2012, 09:43 PM   |  #681  
donpromillo
I searched a bit in the ROM files and found OEM_7x30_MODEM.cab. It contains a file "modem" which seems interesting in two ways.

First:

I'm a lazy man and an enthusiast of analogies, and I think that developers at Microsoft are lazy too and reuse code: is it possible that the procedure to pack the data for the modem into one file and encrypt it is the same as in the backup procedure? Look at the file, which starts with an XML part describing the encryption algorithm for the payload.


Code:
<?xml version="1.0" encoding="UTF-8"?>
<SSD_METADATA>
<MD_SIGN>
    <MD_VERSION>1.3</MD_VERSION>
    <MFG_ID></MFG_ID>
    <SW_VERSION></SW_VERSION>
    <IEK_ENC_INFO>
        <IEK_ENC_METHOD>RSA-1024</IEK_ENC_METHOD>
        <IEK_ENC_PADDING_TYPE>PKCS#1-V1.5</IEK_ENC_PADDING_TYPE>
        <IEK_ENC_PUB_KEY_ID>NFam5Ryq2eM2EQ04EqlMEm2sppaxqh2kbc68ggJmfdM=</IEK_ENC_PUB_KEY_ID>
        <IEK_CIPHER_VALUE>Ci8igrQ69DQ/CqfRenEqrqrJHLU5dUgNMolOQS3irzQjuHY9CdybeWy+ThIafiok1ZD5qgsbb4n96lR13c3k+NkYAbnd7xi5sib1aIbqLOg2AKHH5rtclTp8GGzessaflPivkQH3AVoEL5fMfYpJYPULCFVOn1EwaKQBt/SFY4E=</IEK_CIPHER_VALUE>
    </IEK_ENC_INFO>
    <IMG_ENC_INFO>
        <IMG_ENC_METHOD>AES-128-ENCRYPT</IMG_ENC_METHOD>
        <IMG_ENC_PADDING_TYPE>RFC_2630</IMG_ENC_PADDING_TYPE>
        <IMG_ENC_OPERATION_MODE>CBC_MODE</IMG_ENC_OPERATION_MODE>
        <IMG_ENC_IV>2ZQOB2U6lZ9ky84o7qOW0w==</IMG_ENC_IV>
        <IMG_ENC_IMG_SIZE>23112352</IMG_ENC_IMG_SIZE>
    </IMG_ENC_INFO>
    <IMG_HASH_INFO>
        <IMG_HASH_METHOD>SHA-256</IMG_HASH_METHOD>
        <IMG_HASH_VALUE>V8G3czcnj/2wd5ZejWtsgQto+4qX2zQ77iWFBKEja1A=</IMG_HASH_VALUE>
    </IMG_HASH_INFO>
    <MD_SIG_INFO>
        <MD_SIG_DGST_METHOD>SHA-256</MD_SIG_DGST_METHOD>
        <MD_SIG_METHOD>RSA-1024</MD_SIG_METHOD>
        <MD_SIG_PADDING_TYPE>PKCS#1-V1.5</MD_SIG_PADDING_TYPE>
        <MD_SIG_OEM_PUB_KEY_ID>XKCYyiLufvHyG1NqylHXl/rwfPecv57Q/8r4qvrfB60=</MD_SIG_OEM_PUB_KEY_ID>
    </MD_SIG_INFO>
</MD_SIGN>
<MD_SIGNATURE>j0F3B6ERPOg8olsz9rhM2ypdRZYxwcWgtN+X4FSLZFB9Trhsq9irpuAxkXWignKMGC0T5iJ3dEnd1S02SHucUI6wCmOkbzecvvbWIubotptMC4Xi6llaS9odtkZyLPH7ujDxe3c/iURyiIyF0qg7ivUP4fD5qpsPfFCuQiHL7sc=</MD_SIGNATURE>
</SSD_METADATA>

Second (this is a guess, inspired by the ver.ver file, which has 7.35.00 in it, exactly like the bootloader version):

The packed and encrypted parts of "modem" are unpacked to partition sdx3 on the Lumia as adsp.mbn, amss.mbn and emmcboot.mbn, which could be the boot modes called when a backup/restore runs.
So my question is: could someone with a fully unlocked Lumia search through the files on the phone for a similar XML file containing configuration for image encryption, and find out what programs or processes call them?
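As an added example (not code from the thread or from any Nokia/Microsoft tool), here is a small Python parser for the SSD_METADATA header quoted above that decodes the base64 fields and checks that each value's length matches the algorithm the header declares for it (RSA-1024 implies 128-byte cipher and signature values, AES-128 in CBC mode a 16-byte IV, SHA-256 a 32-byte digest), plus the ciphertext size that RFC 2630 padding implies for the stated image size. The sample header is constructed with the thread's element names and made-up values; the poster's real header passes the same length checks.

```python
import base64
import xml.etree.ElementTree as ET

EXPECTED_LEN = {"RSA-1024": 128, "AES-128-ENCRYPT": 16, "SHA-256": 32}  # bytes implied by each name
FIELDS = {  # dict key -> (path under MD_SIGN, decoder for the element text)
    "iek_method": ("IEK_ENC_INFO/IEK_ENC_METHOD", str),
    "iek_cipher": ("IEK_ENC_INFO/IEK_CIPHER_VALUE", base64.b64decode),
    "img_method": ("IMG_ENC_INFO/IMG_ENC_METHOD", str),
    "iv": ("IMG_ENC_INFO/IMG_ENC_IV", base64.b64decode),
    "img_size": ("IMG_ENC_INFO/IMG_ENC_IMG_SIZE", int),
    "hash_method": ("IMG_HASH_INFO/IMG_HASH_METHOD", str),
    "img_hash": ("IMG_HASH_INFO/IMG_HASH_VALUE", base64.b64decode),
    "sig_method": ("MD_SIG_INFO/MD_SIG_METHOD", str),
}

def parse_ssd_metadata(xml_text):
    """Decode the SSD_METADATA header into raw values (bytes for base64 fields)."""
    root = ET.fromstring(xml_text)
    sign = root.find("MD_SIGN")
    meta = {k: conv(sign.findtext(p).strip()) for k, (p, conv) in FIELDS.items()}
    meta["signature"] = base64.b64decode(root.findtext("MD_SIGNATURE").strip())
    return meta

def check_consistency(meta):
    """Report every field whose length contradicts the algorithm declared for it."""
    pairs = (("iek_cipher", "iek_method"), ("iv", "img_method"),
             ("img_hash", "hash_method"), ("signature", "sig_method"))
    problems = []
    for field, method_key in pairs:
        method, want = meta[method_key], EXPECTED_LEN.get(meta[method_key])
        if want is None:
            problems.append(f"{field}: unrecognised method {method!r}")
        elif len(meta[field]) != want:
            problems.append(f"{field}: {len(meta[field])} bytes, but {method} implies {want}")
    return problems

def padded_ciphertext_len(img_size):
    """AES-CBC ciphertext size for img_size plaintext bytes with RFC 2630 (PKCS#7) padding."""
    return (img_size // 16 + 1) * 16  # padding always adds 1..16 bytes, so round up past the size

# Constructed sample: the thread's element names with made-up (not real) key, IV and hash values.
def _b64(byte, n): return base64.b64encode(bytes([byte]) * n).decode()
SAMPLE_HEADER = f"""<SSD_METADATA><MD_SIGN><MD_VERSION>1.3</MD_VERSION>
<IEK_ENC_INFO><IEK_ENC_METHOD>RSA-1024</IEK_ENC_METHOD><IEK_CIPHER_VALUE>{_b64(0x11, 128)}</IEK_CIPHER_VALUE></IEK_ENC_INFO>
<IMG_ENC_INFO><IMG_ENC_METHOD>AES-128-ENCRYPT</IMG_ENC_METHOD><IMG_ENC_IV>{_b64(0x22, 16)}</IMG_ENC_IV>
<IMG_ENC_IMG_SIZE>23112352</IMG_ENC_IMG_SIZE></IMG_ENC_INFO>
<IMG_HASH_INFO><IMG_HASH_METHOD>SHA-256</IMG_HASH_METHOD><IMG_HASH_VALUE>{_b64(0x33, 32)}</IMG_HASH_VALUE></IMG_HASH_INFO>
<MD_SIG_INFO><MD_SIG_METHOD>RSA-1024</MD_SIG_METHOD></MD_SIG_INFO></MD_SIGN>
<MD_SIGNATURE>{_b64(0x44, 128)}</MD_SIGNATURE></SSD_METADATA>"""
```

Running `check_consistency(parse_ssd_metadata(open("modem", "rb").read()[:header_len]))` on a real header flags any value that was truncated or swapped without touching the encrypted payload itself.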
22nd April 2012, 11:38 PM   |  #682  
Heathcliff74
Quote:
Originally Posted by donpromillo

Hi Heathcliff74,

Are the certs on the phone refreshed every month with a new private key, or refreshed using the same private key? If the latter is correct, then there is a chance that a cert is part of the backup encryption. If the private key changes, then it would imply that this is not a part of the backup encryption, because every backup older than the current certificate would become undecryptable when the private key changes and no "master key" exists.
Regards

DonPromillo

I think these certs have only a public part. The encoding and decoding of the backup are probably working by getting the appropriate certs from an MSFT server at the start of a backup or restore action. The public certs are only for talking properly with different MSFT servers. I have not investigated this. This is just my educated guess. Maybe, if I have time, I will look into it later. If you have any specific questions that I may be able to answer, just ask.

Heathcliff74
23rd April 2012, 12:48 AM   |  #683  
Briefcase
Quote:
Originally Posted by Heathcliff74

I think these certs have only a public part. The encoding and decoding of the backup are probably working by getting the appropriate certs from an MSFT server at the start of a backup or restore action. The public certs are only for talking properly with different MSFT servers. I have not investigated this. This is just my educated guess. Maybe, if I have time, I will look into it later. If you have any specific questions that I may be able to answer, just ask.

Heathcliff74

A few posts earlier he said he could make a backup without a network connection (unplugging the cable). This would mean the certs do have the private parts included?
23rd April 2012, 01:03 AM   |  #684  
Heathcliff74
Quote:
Originally Posted by donpromillo

Thanks biktor_gj,

My idea behind the question is the following, and I would like to know if my assumptions are logical:

I discovered that in the backup process with Zune all data sent between the phone and the Zune PC is scrambled before it reaches the PC (I snooped the USB data stream and could see that the beginning of the USB data stream is the same as the beginning of the stored files in the Zune backup folder).
So my assumption is that scrambling the backup is done by the phone. Furthermore, I can back up without any network connection, so all the things needed must be present on the phone. If so, then if I'm able to identify the encryption process and its parameters, I should be able to decrypt the stored files in the Zune backup folder too, provided I were able to port that process to x86 procedures. And the last assumption: if I'm able to decrypt the backup files, it could be possible to edit these and re-encrypt the edited files. After that, they could be used to restore in the normal restore process using Zune.

Am I right?

DonPromillo

Quote:
Originally Posted by Heathcliff74

I think these certs have only a public part. The encoding and decoding of the backup are probably working by getting the appropriate certs from an MSFT server at the start of a backup or restore action. The public certs are only for talking properly with different MSFT servers. I have not investigated this. This is just my educated guess. Maybe, if I have time, I will look into it later. If you have any specific questions that I may be able to answer, just ask.

Heathcliff74

Quote:
Originally Posted by Briefcase

A few posts earlier he said he could make a backup without a network connection (unplugging the cable). This would mean the certs do have the private parts included?

donpromillo,

Are you sure you can do this without network? I'm pretty sure this is not possible. Maybe you had Wifi and 3G disabled. But you say you were snooping the USB connection while you were making a backup. At that moment, the phone uses your PC to get an internet connection too. :P

So if you really want to test if all info is on the device, you should also disconnect your pc from the internet. If you have your phone in airplane mode and your pc has both wifi and ethernet disabled, you will probably get an error if you try to make a backup.

Ciao,
Heathcliff74
23rd April 2012, 01:14 AM   |  #685  
tjramage
Quote:
Originally Posted by Heathcliff74

So if you really want to test if all info is on the device, you should also disconnect your pc from the internet. If you have your phone in airplane mode and your pc has both wifi and ethernet disabled, you will probably get an error if you try to make a backup.

If this is true - that means anyone who doesn't have a data connection can't make a backup of their phone... Surely Microsoft wouldn't allow that???
23rd April 2012, 01:23 AM   |  #686  
Heathcliff74
Quote:
Originally Posted by tjramage

If this is true - that means anyone who doesn't have a data connection can't make a backup of their phone... Surely Microsoft wouldn't allow that???

Why not? When was the last time you saw a smart phone with no connection at all (not Wifi, no 3G and not ethernet over USB)??
23rd April 2012, 03:59 AM   |  #687  
lilstevie
Quote:
Originally Posted by Heathcliff74

Why not? When was the last time you saw a smart phone with no connection at all (not Wifi, no 3G and not ethernet over USB)??

The backup is done in SCDL so wifi and 3G of the device would be disabled anyway
23rd April 2012, 05:51 AM   |  #688  
voluptuary
So, I've built ROMs for the Samsung Focus and for the HTC HD2. Both of these have flashing tools to allow us to flash the fancy new ROMs we built to our phones. If we have the unlocked bootloader, can't we just rebuild the esco and flash that with QPST? Or is there something I am missing? Building the Lumia ROM in OSBuilder seems to be the same as for other devices. So if I just take the .nb that is built and rename it boot.img, then add that to a zip and then rename that zip bla_bla_rom.esco, will that not work? Or is there something more? Does the Qualcomm bootloader still need signed files of some sort? I ask this because if we can do it this way then we won't have the Live services activation issues as well as the other odd problems, plus it is just way more end-user friendly.
Last edited by voluptuary; 23rd April 2012 at 05:53 AM.
23rd April 2012, 06:39 AM   |  #689  
tjramage
Quote:
Originally Posted by Heathcliff74

Why not? When was the last time you saw a smart phone with no connection at all (not Wifi, no 3G and not ethernet over USB)??

Good point. But I figured there is a possibility someone may not have a data connection and need to create a backup... If it was me, I wouldn't disallow people in those circumstances to backup their phone... But maybe Microsoft is different.

Quote:
Originally Posted by lilstevie

The backup is done in SCDL so wifi and 3G of the device would be disabled anyway

I may be wrong, but I think Heathcliff74's point is that the cert-checking is done before the phone enters this mode.
23rd April 2012, 07:04 AM   |  #690  
JusThinK
Quote:
Originally Posted by tjramage

Good point. But I figured there is a possibility someone may not have a data connection and need to create a backup... If it was me, I wouldn't disallow people in those circumstances to backup their phone... But maybe Microsoft is different.
I may be wrong, but I think Heathcliff74's point is that the cert-checking is done before the phone enters this mode.

As far as I know, there is no real backup procedure available for Windows Phone. All current backup tools work by faking a firmware update, which actually initiates Zune to create a restore point. So this entire process is related to firmware update via Zune, which actually requires an internet connection.

PS: I will try an offline backup today and will update with the result.
